Saturday, February 11, 2017

sccm wsus shared database

If you have an environment with a few thousand clients that often roam between several SCCM software update points, every switch to a SUP backed by a different WSUS database forces the client into a full update scan against the new server. That leads to a lot of issues, including extra WAN traffic and client update scan failures.

To overcome these common issues, consider having all the software update points share a single WSUS database (SUSDB).

The core requirements for sharing the WSUS database:
- All the WSUS servers must run the same WSUS version
- The same WSUS patch level across all the WSUS servers
- Consider the network latency if the remote database is reached over the WAN
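Before touching anything, it is worth checking the three requirements above in one pass. The script below is an added example, not part of the original article: it inventories the WSUS binary version and the two hotfixes this article installs later on each server, then measures how long a SUSDB connection takes from the host you run it on. The server names WSUS01, WSUS02 and SQL01 are assumed, as is WinRM access to the WSUS servers and a Windows login on the SQL instance.

```powershell
# Added example (not the article's own code): verify version parity, patch parity
# and database latency across the WSUS servers that will share SUSDB.
# Assumed names: WSUS01/WSUS02 are the WSUS servers, SQL01 hosts SUSDB (default instance).
param(
    [string[]]$WsusServers = @('WSUS01', 'WSUS02'),
    [string]$SqlServer     = 'SQL01'
)

# 1+2. WSUS service binary version and hotfix state, collected over WinRM.
$inventory = Invoke-Command -ComputerName $WsusServers -ScriptBlock {
    $svc = 'C:\Program Files\Update Services\Service\WsusService.exe'
    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        WsusVersion = if (Test-Path $svc) { (Get-Item $svc).VersionInfo.ProductVersion } else { 'not installed' }
        KB3095113   = [bool](Get-HotFix -Id KB3095113 -ErrorAction SilentlyContinue)
        KB3159706   = [bool](Get-HotFix -Id KB3159706 -ErrorAction SilentlyContinue)
    }
}
$inventory | Format-Table Server, WsusVersion, KB3095113, KB3159706 -AutoSize

$versions = $inventory.WsusVersion | Sort-Object -Unique
if ($versions.Count -ne 1) { Write-Warning "WSUS versions differ: $($versions -join ', ')" }
foreach ($kb in 'KB3095113', 'KB3159706') {
    $missing = $inventory | Where-Object { -not $_.$kb } | ForEach-Object Server
    if ($missing) { Write-Warning "$kb missing on: $($missing -join ', ')" }
}

# 3. Latency to SUSDB: TCP reachability, then the time to open a connection and
#    run a trivial query. Tens of milliseconds on a LAN; hundreds over a WAN is the smell.
$tcp = Test-NetConnection -ComputerName $SqlServer -Port 1433   # default instance port
"TCP 1433 to $SqlServer reachable: $($tcp.TcpTestSucceeded)"
$ms = (Measure-Command {
    $c = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=SUSDB;Integrated Security=SSPI;Connect Timeout=5")
    $c.Open()
    $cmd = $c.CreateCommand(); $cmd.CommandText = 'SELECT 1'; [void]$cmd.ExecuteScalar()
    $c.Close()
}).TotalMilliseconds
"Connect + query to SUSDB on $SqlServer: $([math]::Round($ms)) ms"
```

Run it from the management host you would use for the rest of this article. Any warning about differing versions or missing hotfixes should be resolved before the servers are pointed at the same database, because the database schema changes with the hotfixes.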

The scenario: I have a standalone SUP, which is the upstream server, already installed. Now I want to add a second SUP as a replica server and have it use the existing WSUS database on the first SUP (the upstream server).

For convenience and ease of understanding, I have divided this article into 4 main sections.

Configure WSUS content folder permissions:
For the downstream server to reach the WSUS content on the upstream server, the WSUS content folder must be shared with every downstream (replica) WSUS server. Each WSUS server in the hierarchy needs full permissions on that folder, at both the share level and the NTFS level (Full Control). Grant the permissions to the replica server's computer account (domain\servername$): the WSUS service and the WsusPool application pool run as NETWORK SERVICE, which authenticates to a remote share as the computer account. Grant them to those accounts only, not to Everyone.

1. Log on to the upstream WSUS server and browse to the location of the WSUS content folder
2. If the WSUS folder is not already shared, share the folder using the Share tab
3. Add the replica server's computer account to the share and give it Read/Write permissions
4. Go to Advanced Sharing on the Sharing tab of the WSUS folder properties
5. On the Advanced Sharing window, click Permissions
6. On the Permissions for WSUS window, click Add
7. Add the replica server's computer account, give it Full Control, then click OK
8. Click OK on the Advanced Sharing window
9. Click Close on the WSUS folder Properties window
10. At the end, the replica server's computer account should appear with Full Control on both the share permissions and the NTFS Security tab of the WSUS folder.
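The same ten steps from PowerShell, as an added example that is not part of the original article. It creates (or updates) the share, adds an inherited Full Control NTFS entry for each replica computer account, and prints both ACLs so you can confirm that only the intended accounts are on them. The folder path D:\WSUS, the share name WSUS and the account CONTOSO\WSUS02$ are assumptions; run it elevated on the upstream server.

```powershell
# Added example (not the article's own code): grant the replica WSUS server's
# computer account share and NTFS rights on the upstream content folder.
# Assumed: D:\WSUS is the content folder, the share is called WSUS, and
# CONTOSO\WSUS02$ is the replica server's computer account.
param(
    [string]$ContentPath       = 'D:\WSUS',
    [string]$ShareName         = 'WSUS',
    [string[]]$ReplicaAccounts = @('CONTOSO\WSUS02$')
)

# The WSUS service and the WsusPool application pool run as NETWORK SERVICE, which
# reaches a remote share as DOMAIN\SERVER$, so the computer account is the principal.
foreach ($acct in $ReplicaAccounts) {
    if ($acct -notmatch '\$$') { throw "'$acct' is not a computer account (expected DOMAIN\NAME`$)" }
}

# 1. Share permissions: create the share with only the replica accounts, or add them
#    to an existing share without touching the entries already there.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ContentPath -FullAccess $ReplicaAccounts | Out-Null
} else {
    foreach ($acct in $ReplicaAccounts) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $acct -AccessRight Full -Force | Out-Null
    }
}

# 2. NTFS permissions: Full Control, inherited by every subfolder and file.
$acl = Get-Acl -Path $ContentPath
foreach ($acct in $ReplicaAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $acct,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ContentPath -AclObject $acl

# 3. Show the result: check that Everyone is absent from the share and that each
#    replica account appears in both lists.
"Share permissions on \\$env:COMPUTERNAME\$ShareName"
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
"NTFS permissions on $ContentPath (replica accounts only)"
(Get-Acl -Path $ContentPath).Access |
    Where-Object { $ReplicaAccounts -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```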

Configure permissions on WSUS database:
If WSUS is configured to use a shared database, every server in the WSUS hierarchy needs the appropriate permissions on that database: a login for its computer account, mapped into SUSDB with the dbo default schema and membership in the webService database role.
1. Log on to a server where SQL Server Management Studio is installed (the WSUS SQL Server, for example).
2. Connect to the SQL instance hosting the WSUS database (SUSDB) using SQL Management Studio.
3. From the SQL Management Studio Object Explorer, expand the Security node;

4. Right-click the Logins node, then select New Login;

5. On the Login - New window, enter the new WSUS replica (downstream) server's computer account;
Note: Do not use the Search button; the object picker does not list computer accounts by default.
         Type it in domain\servername$ format
6. On the same window, go to the User Mapping tab and select the SUSDB database. The user name will
    be auto-populated with the WSUS server name; select dbo as the default schema using the browse button.
    Under Database role membership for SUSDB, select webService along with public (which is selected by default).
    Click OK to close the Login - New window.
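The same login and mapping can be created with T-SQL, which is easier to repeat for a third or fourth SUP and leaves an audit trail. The script below is an added example, not the article's own code: it runs an idempotent batch through the .NET SQL client (no SqlServer module needed), creates the login only if it is missing, maps it into SUSDB with dbo as the default schema, adds it to webService, and then reads back the role membership as a check. SQL01 and CONTOSO\WSUS02$ are assumed names; the account running it needs rights to create logins and database users (sysadmin, or securityadmin plus db_owner on SUSDB). ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.

```powershell
# Added example (not the article's own code): create the SQL login for the replica
# server's computer account and map it into SUSDB (dbo default schema, webService
# role), the same result as the SSMS Login - New dialog above.
# Assumed: SQL01 hosts SUSDB, CONTOSO\WSUS02$ is the replica computer account.
param(
    [string]$SqlServer      = 'SQL01',
    [string]$ReplicaAccount = 'CONTOSO\WSUS02$'
)

# A computer account is always DOMAIN\NAME$; refuse anything else so a typo does
# not end up as a permanently unused login on the instance.
if ($ReplicaAccount -notmatch '^[^\\]+\\[^\\]+\$$') {
    throw "Expected DOMAIN\COMPUTER`$ format, got '$ReplicaAccount'"
}
$principal = "[$ReplicaAccount]"   # bracket-quoted identifier for T-SQL

# Idempotent batch: safe to re-run if the login, user or role membership already exists.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ReplicaAccount')
    CREATE LOGIN $principal FROM WINDOWS;
USE SUSDB;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ReplicaAccount')
    CREATE USER $principal FOR LOGIN $principal WITH DEFAULT_SCHEMA = dbo;
IF NOT EXISTS (SELECT 1 FROM sys.database_role_members rm
               JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
               WHERE r.name = N'webService' AND m.name = N'$ReplicaAccount')
    ALTER ROLE webService ADD MEMBER $principal;
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$ReplicaAccount';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $reader = $cmd.ExecuteReader()
    $roles = @()
    while ($reader.Read()) { $roles += $reader.GetString(0) }
    $reader.Close()
    "Roles held by $ReplicaAccount in SUSDB: $($roles -join ', ')"
    if ($roles -notcontains 'webService') { throw "webService role membership is missing for $ReplicaAccount" }
} finally {
    $conn.Close()
}
```

Only webService (and the implicit public) is granted; the WSUS service does not need db_owner or sysadmin on the instance, so do not hand those out to make an error go away.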

Installing the replica WSUS and configuring it to use the shared database:
We will install the WSUS server role from Server Manager on the replica server.
1. Launch Server Manager, then click Add roles and features;

2. Click Next on the Before you begin window;

3. Select Role-based or feature-based installation, then click Next;

4. On the Select destination server window, click Next;

5. Under Select server roles, scroll down, select Windows Server Update Services, then click Next;

6. On Select features, select .NET Framework 3.5 and Remote Differential Compression, then click Next;
    (if they are not already installed)

7. The Windows Server Update Services window will launch; click Next;

8. On Select role services, select WSUS Services and Database, then click Next;
    (Database is the SQL Server connectivity role service; do not select WID Database)

9. On the Content location selection window, enter the upstream server's WSUS content location as a UNC path, then click Next;

10. On the Database instance selection window, enter the upstream server name or the WSUS SQL Server name, then click Check connection;

If the IIS role is not already installed, you will be prompted with additional installation wizards.
Also, if you choose to install .NET 3.5, you have to provide the Server 2012 R2 media source location to complete the installation.

11. Review the settings, then click Install;

12. Once the installation is complete, close the window. The installer will advise about the post-install configuration. At this stage, DO NOT run any post-install configuration.

The reason for not running the post-install configuration yet is that two hotfixes for WSUS on Windows Server 2012 / 2012 R2 must be applied first. This step is not required on Windows Server 2016.

13. Install update KB3095113;

14. When the installation is done, close the installer window.

15. Now install KB3159706. This hotfix requires a manual post-install servicing step.

16. When the installation is done, close the installer window.

17. After installing both updates, the server will not prompt for a restart, but a reboot is required to configure the installed updates.
     So reboot the server before running the post-install configuration;
  After the reboot, KB3159706 requires running "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing to prepare WSUS. However, if we run the servicing command now, it fails to locate the SQL server. The reason is that the WSUS role installation writes the local SQL instance to the registry by default, and there is no local SQL instance on this server.
18. Open regedit.exe with elevated permissions, go to HKLM\Software\Microsoft\Update Services\Server\Setup, find the SqlServerName value and change the default server name to the actual SQL server (or server\instance) hosting SUSDB.

Below are the original registry settings;

Updated registry setting with the correct SUSDB server name;

Close regedit.exe after applying the changes.
19. Now launch services.msc as administrator, then find the WSUS Service.
      If the WSUS Service start-up type is Disabled, change it to Automatic, then start the service.

20. Run the KB3159706 post-install task by executing this command in an elevated command prompt: "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

21. If everything is configured correctly, the command will complete successfully.

22. After servicing, add the HTTP Activation feature (under .NET Framework 4.5 Features > WCF Services) from Server Manager, if it is not already installed.

23. Launch the WSUS console from Control Panel\All Control Panel Items\Administrative Tools.
      The WSUS console will prompt for the post-installation tasks with the Complete WSUS Installation window;

24. Enter / make sure the DB instance and content directory path are correct, then click Run.
      If everything is configured correctly, you will see the "post-installation successfully completed" message;

25. Once you close the WSUS installation window, the wizard will launch the WSUS console.
      Close the WSUS console without configuring anything.
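Steps 1 to 24 as a single PowerShell script, added here as an example and not part of the original article. Installing the role with Install-WindowsFeature does not ask for the content path or database instance the way the wizard does; the final wsusutil postinstall command with SQL_INSTANCE_NAME and CONTENT_DIR is what the Complete WSUS Installation window runs, so it takes the place of steps 23 and 24. The script is split into two phases because of the reboot in step 17. The SQL server SQL01, the upstream share \\WSUS01\WSUS, the hotfix folder C:\Hotfix (holding the two downloaded .msu files) and the 2012 R2 media folder D:\Sources\sxs are assumptions; run it elevated on the replica server.

```powershell
# Added example (not the article's own code): install the replica WSUS role,
# apply KB3095113 and KB3159706, point WSUS at the shared SUSDB and finish the
# post-install configuration.  Phase 'Install' runs first and reboots; re-run
# with -Phase PostReboot afterwards.
# Assumed: SQL01 hosts SUSDB, \\WSUS01\WSUS is the upstream content share,
# C:\Hotfix holds the two .msu files, D:\Sources\sxs is the media sources\sxs folder.
param(
    [ValidateSet('Install', 'PostReboot')] [string]$Phase = 'Install',
    [string]$SqlServer  = 'SQL01',
    [string]$ContentDir = '\\WSUS01\WSUS',
    [string]$HotfixDir  = 'C:\Hotfix',
    [string]$SxsSource  = 'D:\Sources\sxs'
)
$wsusutil = 'C:\Program Files\Update Services\Tools\wsusutil.exe'
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

if ($Phase -eq 'Install') {
    # Steps 5-11: WSUS Services + SQL connectivity (not WID), RDC and .NET 3.5.
    # No post-install configuration yet (step 12).
    Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB, RDC -IncludeManagementTools | Out-Null
    Install-WindowsFeature -Name NET-Framework-Core -Source $SxsSource | Out-Null

    # Steps 13-16: the two hotfixes, in this order, skipping any already present.
    foreach ($kb in 'KB3095113', 'KB3159706') {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { "$kb already installed"; continue }
        $msu = Get-ChildItem -Path $HotfixDir -Filter "*$kb*.msu" | Select-Object -First 1
        if (-not $msu) { throw "No .msu for $kb found under $HotfixDir" }
        $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
        # wusa exit code 3010 = installed, reboot required
        if ($p.ExitCode -notin 0, 3010) { throw "$kb failed with exit code $($p.ExitCode)" }
        "$kb installed"
    }
    # Step 17: reboot even though nothing prompts for it, then run -Phase PostReboot.
    Restart-Computer -Confirm
    return
}

# Step 18: replace the default local instance with the server hosting SUSDB.
Set-ItemProperty -Path $setupKey -Name SqlServerName -Value $SqlServer
# Step 19: the servicing step needs the WSUS service enabled and running.
Set-Service -Name WsusService -StartupType Automatic
Start-Service -Name WsusService
# Steps 20-21: post-hotfix servicing required by KB3159706.
& $wsusutil postinstall /servicing
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall /servicing failed ($LASTEXITCODE)" }
# Step 22: WCF HTTP Activation.
Install-WindowsFeature -Name NET-WCF-HTTP-Activation45 | Out-Null
# Steps 23-24: what the Complete WSUS Installation window runs.
& $wsusutil postinstall SQL_INSTANCE_NAME=$SqlServer CONTENT_DIR=$ContentDir
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed ($LASTEXITCODE)" }
# Confirm both values landed in the registry before moving on to the SUP role.
Get-ItemProperty -Path $setupKey | Select-Object SqlServerName, ContentDir
```

The last line is the check the first reader comment at the bottom of this page is about: ContentDir must show the UNC path of the upstream share, not a local %ProgramFiles% path, otherwise the replica will serve content from an empty local folder.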

Installing the Software Update Point:
Installing the software update point site system role is the same as for the upstream SUP.
1. Open the SCCM console, go to \Administration\Overview\Site Configuration\Servers and Site System Roles, then right-click and select Create Site System Server

2. Enter the new replica WSUS server name, then click Next;

3. Click Next on Specify internet proxy server;

4. Select Software Update Point on the system role selection page, then click Next

5. Select "WSUS is configured to use ports 8530 and 8531 for client communications", then click Next;

6. Click Next on proxy and account settings;

7. Review the summary of the Create Site System Server wizard, then click Next

8. Click Close to exit the wizard

9. Wait 15-20 minutes, then review SUPSetup.log on the new site system.
   The log should have entries for the installation status and end with "Installation was successful".

10. Initially, the SCCM console will display the replica server's status as not synchronised.

11. Wait an hour or two for the initial sync to happen. Once the first synchronisation succeeds, both SUPs will show the same catalog version number.
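The wizard in steps 1 to 8 can be driven from the ConfigurationManager PowerShell module that ships with the console, which is handy when the same SUP role has to be added to more than one replica. This is an added example, not the article's own code: it registers the site system server if needed, adds the SUP role on WSUS ports 8530/8531, reads the role back, and then polls the SUP install log for the success entry from step 9. The site code PS1, the server WSUS02.contoso.com and the log path are assumptions (site system logs live wherever your site system installation put them); run it where the SCCM console is installed.

```powershell
# Added example (not the article's own code): the Create Site System Server
# wizard for a Software Update Point, via the ConfigurationManager module.
# Assumed: site code PS1, replica WSUS02.contoso.com, and the log path below.
param(
    [string]$SiteCode    = 'PS1',
    [string]$ReplicaFqdn = 'WSUS02.contoso.com',
    [string]$LogPath     = '\\WSUS02.contoso.com\C$\SMS\Logs\SUPSetup.log'  # assumed location
)

# The module sits next to the console binaries; SMS_ADMIN_UI_PATH points at bin\i386.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # Step 2: register the server as a site system (no-op if it already is one).
    if (-not (Get-CMSiteSystemServer -SiteSystemServerName $ReplicaFqdn -SiteCode $SiteCode)) {
        New-CMSiteSystemServer -SiteSystemServerName $ReplicaFqdn -SiteCode $SiteCode | Out-Null
    }
    # Steps 4-5: Software Update Point role, WSUS on 8530 (HTTP) and 8531 (HTTPS).
    Add-CMSoftwareUpdatePoint -SiteSystemServerName $ReplicaFqdn -SiteCode $SiteCode `
        -WsusIisPort 8530 -WsusIisSslPort 8531 | Out-Null
    # Read the role back as confirmation that the site accepted it.
    Get-CMSoftwareUpdatePoint -SiteSystemServerName $ReplicaFqdn -SiteCode $SiteCode |
        Select-Object NetworkOSPath, RoleName, SiteCode
} finally {
    Pop-Location
}

# Step 9: poll the install log for up to 20 minutes.
$deadline = (Get-Date).AddMinutes(20)
do {
    $done = (Test-Path $LogPath) -and
            (Select-String -Path $LogPath -Pattern 'Installation was successful' -Quiet)
    if (-not $done) { Start-Sleep -Seconds 60 }
} until ($done -or (Get-Date) -gt $deadline)

if ($done) { "SUP role installed on $ReplicaFqdn" }
else { Write-Warning "No success entry in $LogPath yet; check WCM.log and WSUSCtrl.log on the site server" }
```

If the success entry never appears, WCM.log and WSUSCtrl.log on the site server are where the site reports its attempts to configure and reach the new WSUS instance; the most common cause is the site server's computer account lacking rights on the replica, not the shared database itself.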


  1. The WSUS content directory is still pointing to %program files%\WSUS instead of the network share in your registry. It should point to the network path according to this article

  2. Thanks Venu.
    WSUS shared DB made easy with this article.